Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
4
Replies

icmp problem

prudhvi83
Level 1
Level 1

‎05-07-2007 11:48 PM

hi...we have a checkpoint firewall at our site..and we have a pix firewall at my clients place...we connect to that using site -site vpn...the acl used to be any any...but we have added some ports to our clients fw and allowed icmp also...and we closed the remamining ports...after this we are not able to ping each other ....but we r able to reach the applications and they r working fine...wats the problem..

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎05-08-2007 12:32 AM

Hi

It's difficult to say without seeing configs. The only thing that springs to mind is that ICMP is not stateful in the way that TCP is and you have to let it in and out explicity.

Is there any chance that by updating your access-lists you have inadvertently stopped this.

HTH

Jon

0 Helpful

prudhvi83
Level 1
Level 1
In response to Jon Marshall

‎05-08-2007 12:40 AM

thanks jon...

we hav configured the acl statement to be acl intranet icmp any any...is there a problem ..bcoz...we both cant ping each other..we hav a chkpoint fw in our end...

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to prudhvi83

‎05-08-2007 12:59 AM

Hi

Do you mean pinging from a client on one network to a client on the other.

If your applications are working but icmp not and you have allowed icmp in then it sounds like icmp is getting blocked on the return path.

Could you send pix config (sanitised).

Jon

0 Helpful

swharvey
Level 3
Level 3
In response to Jon Marshall

‎05-16-2007 10:45 AM

Hi,

You may also ask the customer with the pix to run a debug icmp trace command, then preform tests to see the packets are processed. I will share that I am having problems pinging from our asa/pix as the source to devices inside the vpn tunnel at the other end. Pings do work fine however between devices connected behind the firewalls at both ends of the tunnel.

In my debugs, I found that the asa/pix sources it's address in the pings as the external public address associated to the outside interface.

Understandably this address should never be allowed to ping an internal private address on the the other end of the tunnel.

I am about to open a discussion forum inquiring on this as well as a tac case.

Good luck with your tests and please rate if this is helpful.

-Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents